How to stop or disable the AWS Config recorder in Control Tower


We have a Control Tower account. In that Control Tower, one of the accounts has had the AWS Config service enabled for a few weeks. We are trying to disable the service, but it shows the error "You do not have sufficient permission to perform this action". As I have admin-level privileges, I'm able to enable and disable the AWS Config service in other Control Tower accounts, but we are facing this issue in this particular account.

  • Thanks for the comments. I disabled Config long ago with your inputs. I just modified the SCP policy and stopped AWS Config.

3 Answers
Accepted Answer

When you've got full administrator access but are still getting denied, see if there is a Service Control Policy (SCP) attached to the account or organizational unit. Your permissions are the overlap between what the SCP allows/denies and what your IAM policies allow/deny.

When you enable AWS Control Tower, it automatically applies guardrails, including preventing such actions as disabling the AWS Config recorder, which makes sense since that is an important tool for maintaining compliance.

AWS
debbie
answered a year ago

This is a mandatory preventative control as a part of Control Tower implemented via an SCP.

AWS
EXPERT
kentrad
answered a year ago

Is the operation prevented by the SCP?
Check the SCP of the OU to which the account belongs.
If guardrails are set up on the Control Tower, they may be rejected by SCP.
https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html

EXPERT
answered a year ago
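
Added example, not part of any answer above and not AWS's own code: a Python check that takes the SCP documents attached to an account's OU path and reports which Deny statement blocks a given action for a given principal. The SCP content, Sids, role names and account ID are constructed for illustration; in a real organization the documents would come from the Organizations `list_policies_for_target` and `describe_policy` calls.

```python
import json
from fnmatch import fnmatchcase

# Constructed SCP document for illustration; not copied from a real account.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConstructedDenyConfigChanges", "Effect": "Deny",
         "Action": ["config:StopConfigurationRecorder", "config:Delete*"],
         "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalARN":
                       "arn:aws:iam::*:role/ExampleExemptRole"}}},
        {"Sid": "ConstructedDenyLeaveOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def _principal_exempt(statement, principal_arn):
    # Only the ArnNotLike / aws:PrincipalARN exemption is modelled here.
    # Any other condition is ignored, so the statement is reported (conservative).
    cond = statement.get("Condition", {}).get("ArnNotLike", {})
    for key, patterns in cond.items():
        if key.lower() == "aws:principalarn":
            return any(fnmatchcase(principal_arn, p) for p in _as_list(patterns))
    return False

def blocking_statements(scp_documents, action, principal_arn):
    """Return (policy_name, Sid) for each Deny statement that applies."""
    hits = []
    for name, doc in scp_documents.items():
        for stmt in _as_list(json.loads(doc).get("Statement", [])):
            if stmt.get("Effect") != "Deny" or "Action" not in stmt:
                continue  # Allow statements and NotAction are not modelled
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if _principal_exempt(stmt, principal_arn):
                continue
            hits.append((name, stmt.get("Sid", "<no Sid>")))
    return hits
```

A non-empty result for `config:StopConfigurationRecorder` explains an access-denied error for an administrator: an explicit Deny in an SCP overrides any Allow in the principal's IAM policies.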
